I use a GoDaddy 2048-bit cert on my personal server with no issues. In imapd.conf I have set the following:

tls_cert_file: /etc/pki/cyrus-imapd/<domain>.crt
tls_key_file: /etc/pki/cyrus-imapd/server.key
tls_ca_file: /etc/pki/cyrus-imapd/gd_intermediate_bundle.crt (I think this one is only for authorizing inbound client certs)
tls_ca_path: /etc/ssl/certs

My gd_intermediate_bundle.crt contains the 2 intermediates and the root certs in PEM format, cat'd together. Order shouldn't be significant, but in mine, the order is (by cert subject):

CN=Go Daddy Secure Certification Authority/serialNumber=07969287
C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@xxxxxxxxxxxx

Basically listed in the 'correct' order of the chain.

To Kevin's point about the private key, I agree that you should remove the passphrase from your key. It will only cause complications with startup.

Hope this helps,
-Chris

On 3/1/2011 9:22 AM, Kevin Kobb wrote:
> On 2/28/2011 9:44 AM, Anthony Tibbs wrote:
>> Good morning,
>>
>> I've been running Cyrus at a couple of small sites since 2001 or so.
>> I've run into a snag trying to set up SSL using something other than the
>> self-signed, auto-generated certificate. The domain has a GoDaddy
>> 2048-bit SSL certificate. From the SSL manager, one downloads a bundle
>> that contains a certificate chain bundle, and a separate file with the
>> certificate for the domain itself.
>>
>> The key and CSR were generated with:
>>
>> openssl genrsa -des3 -out xxx.key 2048
>> openssl req -new -key xxx.key -out xxx.csr
>>
>> I've seen a few different methodologies posted about how to install
>> this. One is to concatenate the domain certificate, the certificate
>> chain, and the private key into one .pem file and set tls_cert_file,
>> tls_ca_file, and tls_key_file to point to the same '.pem' file. Another
>> is to keep the files completely separate.
>>
>> No matter what I have tried, I've been unsuccessful. Thunderbird reports
>> that it received an SSL record that is too long, and/or the imapd
>> process becomes stuck at 100% CPU utilization until it is killed forcibly.
>>
>> Is there something I'm missing on this?
>>
>> - Anthony
>>
>> ----
>> Cyrus Home Page: http://www.cyrusimap.org/
>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>
> Couple of things you might look at. First, I think you need to drop the
> -des3 option when you create the private key. Do something like:
>
> openssl genrsa -out xxx.key 2048
>
> instead. Otherwise, you wind up with an encrypted private key that needs
> a pass phrase every time you start the server. I didn't think Cyrus
> would even start with a key like this. Apache is about the only thing
> I've used that would prompt you for a pass phrase on start up.
>
> To remove the key pass phrase you can do something like:
>
> openssl rsa -in xxx.key -out xxx.key.nopass
>
> I haven't used GoDaddy certs for a while because you had the extra
> hassle of dealing with intermediate certificates, and I can get
> single-root certs cheaper. That being said, I believe all you should
> need to do is cat the signed cert and the intermediate cert together,
> and use this for the tls_cert_file: value in imapd.conf. Point the
> tls_key_file: value to your private key, and that should do it.
>
> This is all off the top of my head and a sick child meant I only got
> about 3 hours of sleep last night, so please make copies of everything
> before trying any of this!
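An added pre-deployment check for the three imapd.conf TLS files discussed in this thread (example code, not from the thread or the Cyrus project): it flags a passphrase-protected key of the kind `openssl genrsa -des3` produces, armor lines fused together when a cat'd file had no trailing newline, blocks whose base64 payload is corrupt, and bundles with no certificate. The PEM contents it is fed are whatever you read from the files named in imapd.conf; any sample data used to exercise it is constructed.

```python
import base64
import binascii
import re

# One PEM block: group 1 is the label, group 2 is everything between the armor lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# END and BEGIN armor on one line: what cat produces when the first file lacked a trailing newline.
FUSED_ARMOR = re.compile(r"-----END [A-Z ]+----------BEGIN ")


def pem_blocks(text):
    """Return (label, body) pairs in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(label, body):
    """True for a passphrase-protected key: legacy Proc-Type/DEK-Info headers or the PKCS#8 label."""
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    return "Proc-Type: 4,ENCRYPTED" in body or "DEK-Info:" in body


def body_decodes(body):
    """Check that the base64 payload decodes; header lines (those containing ':') are skipped."""
    payload = "".join(line.strip() for line in body.splitlines() if ":" not in line)
    try:
        return len(base64.b64decode(payload, validate=True)) > 0
    except binascii.Error:
        return False


def lint_tls_files(cert_pem, key_pem, ca_pem):
    """Return a list of problems for tls_cert_file, tls_key_file and tls_ca_file contents; [] means sane."""
    problems = []
    for name, text in (("tls_cert_file", cert_pem), ("tls_key_file", key_pem), ("tls_ca_file", ca_pem)):
        if FUSED_ARMOR.search(text):
            problems.append(f"{name}: armor lines run together (a concatenated file lacked a trailing newline)")
        for label, body in pem_blocks(text):
            if not body_decodes(body):
                problems.append(f"{name}: {label} block is not valid base64")
    if not any(label == "CERTIFICATE" for label, _ in pem_blocks(cert_pem)):
        problems.append("tls_cert_file: no CERTIFICATE block found")
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"tls_key_file: expected exactly one private key, found {len(keys)}")
    elif key_is_encrypted(*keys[0]):
        problems.append("tls_key_file: key is passphrase-protected; strip it with: openssl rsa -in xxx.key -out xxx.key.nopass")
    if not any(label == "CERTIFICATE" for label, _ in pem_blocks(ca_pem)):
        problems.append("tls_ca_file: no CERTIFICATE block (intermediate/root chain missing)")
    return problems
```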